Description

This query was build using Db_Select
single quote was properly escaped and passed to fetch method where it failed

The message is: 'Invalid bind-variable position ':d'

From what I can tell the :d was mistaken for named parameter
it only happens if the single quote was present in the same parameter
after removing it the query is processed correctly
$db->query("SELECT foo.bar FROM xxx WHERE (zzz = 'ab+c:d')");

I think this is not fixable because of the nature of pdo querys. A workaround is to use parametrized querys instead of the zend_db quoting features.

Posted by Karol Grecki (antych) on 2008-04-03T04:33:39.000+0000

The same query works fine with plain mysqli, I believe the problem lies in ZF code where placeholders are parsed

Posted by Sven Herrmann (sherrmann) on 2008-04-09T12:55:54.000+0000

Problem is caused by a typo in DB/Statement.php

Attached Patch to fix this

Posted by Wil Sinclair (wil) on 2008-04-18T13:20:27.000+0000

Please evaluate and categorize as necessary.

Posted by Karol Grecki (antych) on 2008-05-02T06:24:33.000+0000

Sven's patch seems to fix the problem, can it make its way into trunk please?

Posted by Karol Grecki (antych) on 2008-05-09T04:29:12.000+0000

I found another case when this happens and attached patch doesn't help this time.

A multi insert query with escaped quote and backslash (it's fine with just a quote):

REPLACE INTO foo VALUES
('rv:1.8.1.2) \'\\'),
('rv:1.8.1.7) ')

I put debug code around $sql = $this->_stripQuoted($sql); in Zend_Db_Statement::_parseParameters($sql) and it looks like that function fails to remove those quoted elements, instead the whole first row of values is gone and the second one is intact so later it triggers an exception because it contains ":1"

Posted by Karol Grecki (antych) on 2008-05-09T07:50:46.000+0000

Ok, the problem is the ending \ - escaped backlash was preventing this regex "/'(\'|[^'])'/" from matching ending quote
I modified the expression to ignore matching backslashes : "/'(\'|\{2}|[^'])'/"